Next-Gen CASB Blog

Cambridge Analytica for Corporate SaaS?

Cambridge Analytica was able to extract the personal information of zillions of Facebook users via Facebook's well-provisioned API, in broad daylight. Is similar extraction possible for corporate SaaS apps?

Yes, of course.

For years, Facebook provided a sophisticated API for connected apps to extract information stored in Facebook. No matter Facebook fortified its data-centers and servers with the best and latest security technology. The APIs existed to broaden the app eco-system, so as to make Facebook's tentacles reach as far as possible. The more apps that connected to Facebook via the ubiquitous "login with Facebook" buttons, the faster Facebook spread across the globe, and the more difficult it became for users to disconnect. Facebook was unable, or more likely unwilling, to police these apps to ensure they were not used for nefarious purposes.

A similar situation exists for corporate SaaS apps. Enterprises have lots of sensitive data stored in these apps. The apps provide APIs for other apps to connect. Indeed some apps have built very rich ecosystems around their "platforms," i.e. they want customers to connect as many apps as possible so that it is difficult to get out.

Does the SaaS app encrypting your data make you safe? Not! Some apps encrypt your data for free. Others charge for encryption. But in either case, the API obediently decrypts data prior to access by connected apps. And of course, the connected apps may store copies of your data unencrypted, defeating the purpose of encryption in the first place.

In brief, you can be certain that there is a "Cambridge Analytica" for corporate SaaS. And the more apps in the eco-system of the SaaS apps, the more likely there are nefarious, or at least negligent apps, connected to your data. Paying the SaaS vendor to encrypt your data does nothing to protect you.

If your data is valuable, CASB encryption is the way to go. Encrypt your most important data so that you and only you can decrypt it. APIs and connected apps have access to the cipher-text. Sure, your SaaS vendor will tell you this is a bad thing. Bad for whom, you or them?